Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols
MPC Protocols
Yao's Garbled Circuit: 2-party SFE secure against passive adversaries, using OT and PRG
Today:
Passive-secure GMW protocol: generalizes to any number of parties, uses OT only
Passive-secure BGW protocol: doesn't even use OT, but relies on an honest majority
Going from passive to active security
Basic GMW
Adapted from the famous Goldreich-Micali-Wigderson (1987) protocol (by Goldreich-Vainish, Haber-Micali, ...)
Idea: evaluate a circuit with wire values secured using (linear) secret-sharing
Recall Secret-Sharing
Fix any "secret" s. Let a, b be random conditioned on s = a + b. (All elements from a finite field.)
Each of a, b by itself carries no information about s. (E.g., pick a at random and set b = s - a.)
Will write [s]_1 and [s]_2 to denote the shares of s.
Computing on Shares
Let gates be + & ⨉ (XOR & AND for Boolean circuits)
Plan: shares of each wire value will be computed, with Alice holding one share and Bob the other. At the end, Alice sends her share of the output wire to Bob.
[Figure: a gate with input wires u, v and output wire w; Alice holds [u]_1, [v]_1, [w]_1 and Bob holds [u]_2, [v]_2, [w]_2]
w = u + v: each party locally computes [w]_i = [u]_i + [v]_i
What about w = u ⨉ v?
Want [w]_1 + [w]_2 = ([u]_1 + [u]_2) ⨉ ([v]_1 + [v]_2)
Alice picks [w]_1. Can let Bob compute [w]_2 using the naive protocol for small functions (the small function F in the figure).
Bob's input is ([u]_2, [v]_2). Over the binary field, this requires a single 1-out-of-4 OT.
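The two-party protocol above, as an added example that is not part of the lecture: wires are XOR-shared over GF(2), XOR gates are local, and each AND gate is one 1-out-of-4 OT in which Alice picks [w]_1 and Bob's choice is his share pair ([u]_2, [v]_2). The OT itself is simulated by a trusted function, and the circuit (a 2-bit inner product) is a constructed sample.

```python
import secrets

# Constructed example (not from the lecture): 2-party passive-secure GMW over
# GF(2). A wire value w is held as w = [w]_1 XOR [w]_2, Alice holding [w]_1 and
# Bob [w]_2. XOR gates are local; each AND gate costs one 1-out-of-4 OT.

def share(bit):
    """Split a bit into random XOR shares (Alice's share, Bob's share)."""
    a = secrets.randbelow(2)
    return a, bit ^ a

def ot_1_of_4(messages, choice):
    """Ideal 1-out-of-4 OT, simulated as a trusted function: the receiver
    learns messages[choice] and nothing else; the sender learns nothing."""
    assert len(messages) == 4
    return messages[choice]

def xor_gate(u, v):
    """u, v are (Alice's share, Bob's share). Each party adds locally."""
    return u[0] ^ v[0], u[1] ^ v[1]

def and_gate(u, v):
    """Alice picks [w]_1 at random and tabulates, for each possible pair
    ([u]_2, [v]_2), the matching [w]_2 = ([u]_1 + [u]_2)([v]_1 + [v]_2) - [w]_1.
    Bob obtains the entry for his actual shares by OT, so neither party
    sees the other's shares and the random [w]_1 masks the product from Bob."""
    u1, u2 = u
    v1, v2 = v
    w1 = secrets.randbelow(2)
    table = [((u1 ^ a) & (v1 ^ b)) ^ w1 for a in (0, 1) for b in (0, 1)]
    w2 = ot_1_of_4(table, 2 * u2 + v2)  # Bob's choice index encodes ([u]_2, [v]_2)
    return w1, w2

def evaluate(x_alice, y_bob):
    """Constructed circuit: out = (x0 AND y0) XOR (x1 AND y1), the inner
    product of two 2-bit vectors. Each party shares its own input bits."""
    x = [share(b) for b in x_alice]
    y = [share(b) for b in y_bob]
    acc = (0, 0)  # trivial sharing of the constant 0
    for xi, yi in zip(x, y):
        acc = xor_gate(acc, and_gate(xi, yi))
    # Output: Alice sends her share of the output wire to Bob, who reconstructs.
    return acc[0] ^ acc[1]
```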
GMW: many parties
m-way sharing: s = [s]_1 + ... + [s]_m
Allows security against an arbitrary number of corruptions
Addition: local, as before
Multiplication: for w = u ⨉ v, [w]_1 + ... + [w]_m = ([u]_1 + ... + [u]_m) ⨉ ([v]_1 + ... + [v]_m)
Party i computes [u]_i [v]_i
For every pair (i, j), i ≠ j, Party i picks random a_ij and lets Party j securely compute b_ij s.t. a_ij + b_ij = [u]_i [v]_j using the naive protocol (a single 1-out-of-2 OT)
Party i sets [w]_i = [u]_i [v]_i + Σ_j (a_ij + b_ji)
GMW: with active corruption
Original GMW approach: use zero-knowledge proofs (next time) to force the parties to run the protocol honestly
Needs (passive-secure) OT to be implemented using a protocol
Alternate constructions give an information-theoretic reduction to OT, starting from passive-secure GMW
Recent approach: pre-compile the circuit
Passive-Secure GMW: Closer Look
Multiplication: [w]_1 + [w]_2 = ([u]_1 + [u]_2) ⨉ ([v]_1 + [v]_2)
Computing shares a_12, b_12 s.t. a_12 + b_12 = [u]_1 ⋅ [v]_2:
Alice picks a_12 and sends (-a_12, [u]_1 - a_12) to OT. Bob sends [v]_2 to OT.
What if Alice sends an arbitrary (x, y) to OT? Effectively, she is setting a_12 = -x, [u]_1' = y - x.
Whatever Bob sends to OT is taken as [v]_2'
i.e., arbitrary behavior of Alice & Bob while sharing [u]_1 ⋅ [v]_2 corresponds to them locally changing their shares [u]_1 and [v]_2
Arbitrary behavior of Alice while sharing [u]_1 ⋅ [v]_2 and [u]_2 ⋅ [v]_1 corresponds to her locally changing her shares of u and v
Alice changing her share from [u]_1 to [u]_1' is effectively changing u to u + Δu, where Δu = [u]_1' - [u]_1 depends only on her own view
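An added example (not the lecture's code) covering both the many-party multiplication slide and this closer look: m-way additive shares, one simulated OT per ordered pair (i, j) producing a_ij + b_ij = [u]_i [v]_j, the combination [w]_i = [u]_i [v]_i + Σ_j (a_ij + b_ji), and a check that an OT sender who submits an arbitrary (x, y) only ends up sharing (y - x) ⋅ [v]_j, as the slide claims. It generalizes the slides' binary field to any prime P (with a 1-out-of-P OT); the field constant P and the function names are my choices.

```python
import secrets

# Constructed example (not the lecture's own code): passive-secure m-party GMW
# multiplication over GF(P) using one OT per ordered pair of parties. P = 2 is
# the slides' binary field (single 1-out-of-2 OT); any prime P works at the
# cost of a 1-out-of-P OT. The OT is simulated by a trusted function.
P = 2

def share(s, m):
    """m-way additive sharing: s = [s]_1 + ... + [s]_m (mod P)."""
    shares = [secrets.randbelow(P) for _ in range(m - 1)]
    return shares + [(s - sum(shares)) % P]

def reconstruct(shares):
    return sum(shares) % P

def ot(messages, choice):
    """Ideal 1-out-of-len(messages) OT: receiver gets only messages[choice]."""
    return messages[choice]

def pair_product(ui, vj):
    """Party i (holding [u]_i) and party j (holding [v]_j) get a_ij, b_ij with
    a_ij + b_ij = [u]_i * [v]_j. Party i picks a_ij and offers x*[u]_i - a_ij
    for every field element x; party j chooses x = [v]_j. For P = 2 the
    offered pair is (-a_ij, [u]_i - a_ij), exactly the OT inputs on the slide."""
    a = secrets.randbelow(P)
    offers = [(x * ui - a) % P for x in range(P)]
    return a, ot(offers, vj)

def mul_shares(u_shares, v_shares):
    """Party i sets [w]_i = [u]_i[v]_i + sum_j (a_ij + b_ji); every cross term
    [u]_i[v]_j with i != j is split between the pair (i, j) by one OT."""
    m = len(u_shares)
    a = [[0] * m for _ in range(m)]  # a[i][j]: chosen by party i
    b = [[0] * m for _ in range(m)]  # b[i][j]: learned by party j from the OT
    for i in range(m):
        for j in range(m):
            if i != j:
                a[i][j], b[i][j] = pair_product(u_shares[i], v_shares[j])
    return [(u_shares[i] * v_shares[i]
             + sum(a[i][j] + b[j][i] for j in range(m) if j != i)) % P
            for i in range(m)]

def deviation_effect(x, y, vj):
    """Binary-field check for the closer-look slide: if the sender feeds an
    arbitrary (x, y) to the 1-out-of-2 OT, the receiver learns b = x + (y-x)*vj,
    so with a := -x the pair shares (y - x) * vj, i.e. an honest run with the
    sender's share replaced by [u]_i' = y - x."""
    b = ot([x % 2, y % 2], vj)
    return (b - x) % 2
```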